Welcome to NBlog, the NoticeBored blog

May 30, 2005

The US Department of Defense clearly faces some serious information security risks. According to this presentation about security policies by ex-military man and honeynet security guru Lance Spitzner, the DoD recognizes seven levels of threat. “T1: Inadvertent or accidental events e.g. tripping over the power cord. T2: Passive, casual adversary with minimal resources who is willing to take little risk e.g. listening. T3: Adversary with minimal resources who is willing to take significant risk e.g. unsophisticated hackers. T4: Sophisticated adversary with moderate resources who is willing to take little risk e.g. organized crime, sophisticated hackers, international corporations. T5: Sophisticated adversary with moderate resources who is willing to take significant risk e.g. international terrorists. T6: Extremely sophisticated adversary with abundant resources who is willing to take little risk e.g. well-funded national laboratory, nation-state, and international corporation. T7: Extremely sophisticated adversary with abundant resources who is willing to take extreme risk e.g. nation-states in time of crisis.” Another way of looking at this is as a maturity model for information security. Is your organization ready to face threats at level T4 or T5? Can you afford to address T6?
More risk management resources

A handful of well-known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is rather sketchy at present, but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of disclosing parts of a book he was writing. The existence of the Trojan is evidently not in dispute, along with the fact that it was distributed on a 'promotional CD'. The author, however, claims that it is legal and is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links

May 27, 2005

ISO has earmarked the ISO 27000-series for the information security management standards including ISO 17799, BS 7799-2 and a new standard currently in preparation on security management metrics. This new website gives an overview and will gradually become a useful public resource for those implementing the ISO security standards.
More security standards links here

May 25, 2005

Humble "retail operatives" (till-clerks) who are supposed to check credit/debit card signatures against those on the cards should actually read them and challenge suspicious signatures. It seems some of them perform absolutely no checks whatsoever. This is another example of why security awareness should extend to everyone in the organization.
More security awareness links

The latest AusCERT computer crime and security survey says "Only 35% of respondent organisations experienced electronic attacks that harmed the confidentiality, integrity or availability of network data or systems (compared to 49% in 2004 and 42% in 2003)." ONLY 35%! Am I the only person who finds it perverse to regard a situation in which MORE THAN A THIRD of those surveyed suffered business impacts as a success? 3.5% maybe but not 35. This is an outrageous indictment of the state of information security.

May 21, 2005

"Security isn’t only about protecting your network from external threats; it’s also about protecting against threats from within. The first step to security is awareness; therefore, it’s important that all your employees know not only the potential threats but also how to recognize and prevent such threats. Education and awareness empowers each employee with the knowledge of his role in protecting the organization’s network. This, in turn, will go a long way toward mitigating risk." Well said Doug Schweitzer! This week's Processor magazine has several interesting articles on security awareness and policies.
More risk management and security awareness links

May 19, 2005

Various infosec professionals have been commenting on the threat posed by new forms of malware used to install cryptic rootkits or spyware without alerting the user to their presence. It seems not all antivirus and antispyware software can detect these. There is a distinct possibility that a very specifically targeted chunk of malware could infect an organization or even an individual person, perhaps to wreak havoc with their systems or to disclose sensitive information. Call me paranoid if you like but the pieces are falling into place.
More malware links and risk management links.

"The crash of a critical legacy system at Comair is a classic risk management mistake ... the legacy system failed, bringing down the entire airline, canceling or delaying 3,900 flights, and stranding nearly 200,000 passengers. The network crash cost Comair and its parent company, Delta Air Lines, $20 million, damaged the airline's reputation and prompted an investigation by the Department of Transportation."

Executives stalled all attempts to replace the old crew scheduling system until eventually it failed in service. Reading between the lines of the story, however, it is not clear whether the proposed replacements would have presented even greater risks. Risk management decisions can be buggers.

May 18, 2005

Distributed Denial of Service attacks are being used to extort money from on-line businesses. This is hardly hot news but various experts in a Computerworld piece say this is an increasing threat. More interesting is the emergence of commercial tools to mitigate DDoS attacks, giving victims an alternative way to spend their money (I would be surprised if there were no free tools with the same aim out there, at least in development by the wonderful public-spirited open source community).
More risk resources

CERT has released a 45-page report into the threat of sabotage by insiders. As one might expect from CERT, it focuses on the threat to the IT elements with an emphasis on critical infrastructure although it includes examples in commercial settings.
More risk management resources here

May 15, 2005

Version 9 of Charles Cresson Wood's masterpiece contains more than 1,400 infosec policies in 727 just-over-a-dollar-each pages. How this volume of material makes writing policies "easy" is beyond me but some readers claim the book is good for suggesting the breadth of topics that might be covered in any policy area ... just don't try to write your own 727-page policy manual!
Why do we need security awareness?

May 14, 2005

Police are warning of a street con involving the sale of what purports to be a laptop, only the bags are swapped and victims find they have actually bought a load of rubbish [the police don't actually say which make of PC is involved].
More IT fraud links here

May 13, 2005

Another excellent US-CERT Cyber Security Tip helps people understand website certificates. This tip is a bit more technical than most but power users and IT workers should be aware of the implications of accepting and trusting digital certificates.
More internet security resources

A survey attributing $1.4 bn of additional costs to Sarbanes-Oxley compliance includes a subtle message. Banks, insurance and drug companies saw significant increases in their audit costs, but energy, utilities and retail companies saw even greater increases ... presumably implying that they had much more to do to reach compliance.
More IT governance links here

The Metropolitan Police, in conjunction with Companies House, is promoting a scheme for UK companies to sign up for electronic filing of company records to reduce the opportunities for fraud.
More IT fraud resources here

May 10, 2005

Verisign have found that the majority of people asked were willing to reveal their passwords for a $3 Starbucks coffee token. "According to the company, one executive who was too busy to respond to questions but still wanted a gift card sent his administrative assistant back to complete the survey. The assistant promptly revealed both the executive's password and her own." The survey team have no obvious/legal way to verify the passwords (which is presumably why this was labelled a "light-hearted and unscientific survey") but the take-home message in terms of a general disregard for information security is pretty clear.

A somewhat tongue-in-cheek diary/blog by a typical if fictional information security manager shows how security awareness is constantly pushed to the bottom of the in-tray.
More security awareness resources

ComputerWorld points out that new/changing laws such as those concerning the protection of vital information in effect create new liabilities (we would say "impacts") and new threats such as employees or business partners failing to comply with the new laws - in other words they affect information security risks.
More information security risk management and legal resources

May 5, 2005

There seems to have been a rash of security incidents involving the loss of backup tapes lately. Computerworld is now reporting that Time Warner lost an entire shipment of data backups en route to its off-site storage. The Register outlined a handful of similar incidents, pointing out that identity thieves would love to get their hands on backup tapes containing credit card numbers and other personal details, especially as so few are encrypted.
More risk management, physical security, privacy and confidentiality links

The fifth newsletter from the ISMS (Information Security Management System) IUG (International User Group) contains two pages by Angelica Plate on the changes in ISO 17799:2005, due for publication in a month or two.
More security standards links

May 4, 2005

A report by the UK Home Office reveals that only one of 13 CCTV systems studied directly produced a statistically significant reduction in crime relative to comparable control areas without CCTV. This runs counter to the general perception, and the implication of previous Home Office and Police statements, that CCTV deters city-center crime. The report has implications for the cost-benefit and risk analysis of CCTV in private/commercial settings.
More risk management and physical security links

May 1, 2005

The Governance Focus blog has been going since September 2003. It covers governance very broadly and gives a fascinating insight into what's happening in the field. Well worth a look.
Other governance links here

NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.